Bring your own device - a concern for organizations?: A thesis about tech organizations awareness and management of smartwatches

Academic year: 2022


Faculty of Technology, Department of Informatics

Bring your own device – a concern for organizations?

A thesis about tech organizations awareness and management of smartwatches

Authors: Fredrik Årman, Simon Gustavsson
Supervisor: Lars Magnusson

Examiner: Patrik Elm & Sadaf Salavati


Abstract

With 5G around the corner and an overall increase in faster and more stable internet connections, the future of the Internet of Things (IoT) looks bright. There is a steady increase in the development of IoT devices, such as the smartwatch, and a sharp increase in the usage of IoT, both by organizations and private citizens. Organizational management of a smartwatch falls under the “Bring your own device” (BYOD) policy, which allows employees to do work on their private devices. There appears to be a lack of knowledge in organizations on how to manage IoT devices, both regarding policies and technical IT security. There has been an increase in malware attacks against IoT devices, and compromised smartwatches could be used to gain unauthorized access to organizations’ networks. The smartwatch is a common and powerful IoT device and will be used as the example in this thesis, whose purpose is to examine how organizations perceive and manage IoT devices, focusing on the smartwatch, in order to gain insight into whether IoT devices such as the smartwatch are an area of concern within organizations.

To understand the smartwatch, it is important to first understand IoT. The literature review delves into both IoT and smartwatch functionality and security. It looks at the BYOD policy and technical IT security solutions regarding the smartwatch. The review pointed to there being IT security issues with smartwatches, and to implementing a BYOD policy increasing productivity but also increasing the risk of malware attacks from and against the allowed devices. To fulfill the purpose of the thesis, qualitative interviews with high-ranking IT security personnel at tech organizations were performed, thematized, and analyzed. The most prominent results are discussed: whether the smartwatch is a threat and possible technical solutions for prevention, the IT security level of the organizations’ customer businesses, and the BYOD policy.

The results of the thesis showed that the organizations had a high awareness of the smartwatch and the IT security risks it brings. They all had BYOD policies to restrict or limit the smartwatch’s access to their internal networks, and a set of technical solutions to prevent breaches of the IT infrastructure and to detect whether a breach had occurred. The informants claimed that their organizations’ awareness regarding the smartwatch and the related IT security was higher than that of many of their customer businesses, which makes for an interesting subject for future research: how can these organizations reach the same level of awareness?

Keywords

Smartwatch, IoT, IoT security management, BYOD policy

Summary

With 5G around the corner and a general increase in both faster and more stable internet, the future of the Internet of Things (IoT) looks bright. There is a steady increase in the development of IoT devices such as the smartwatch, while the use of IoT is growing both in companies and among private individuals. An organization’s handling of the smartwatch falls under the “Bring your own device” (BYOD) policy, which allows employees to use their private devices for work-related purposes. There appears to be a lack of knowledge among organizations regarding how to manage IoT devices, both in terms of policy and technical IT security. There has been an increase in malware attacks (malicious code) against IoT devices, and a compromised smartwatch can potentially be used to gain unauthorized access to an organization’s network. The smartwatch is a common and powerful IoT device and will be used as the example in this thesis. The purpose of the thesis is to examine how organizations perceive and manage IoT devices with a focus on the smartwatch, in order to find out whether IoT devices such as the smartwatch are an area that organizations work on.

To understand the smartwatch, it is important to first understand IoT. The literature study describes the functionality and security aspects of both IoT and smartwatches. It further describes the BYOD policy and technical IT security solutions concerning the smartwatch. The literature study indicated that IT security problems exist with the smartwatch and that implementing a BYOD policy can increase an organization’s productivity but also increase the risk of malware attacks, both against and from the permitted devices. To fulfill the purpose of the thesis, qualitative interviews were conducted with senior IT security staff at IT-oriented organizations, which were then thematized and analyzed. The most relevant results are discussed, concerning the smartwatch as a threat and the related technical solutions, the IT security level of the organizations’ customer businesses, and the BYOD policy.

The empirical results of the thesis showed that the interviewed organizations had a high awareness of the smartwatch and the IT security problems it can bring. All of the organizations had a BYOD policy to limit or prohibit the smartwatch’s access to their internal networks, as well as a few technical solutions to prevent intrusions into their IT infrastructure and to detect whether an intrusion had already occurred. The informants stated that their organizations’ awareness of the smartwatch and the related IT security was higher than that of several of their customer businesses, which is a relevant subject for future research. How can these organizations reach the same level of awareness?


Acknowledgments

A big thanks to our two mentors Lars Magnusson, our white knight against the darkness of malware, and Martin Stengård who has been our guiding hand at Softhouse Consulting. We want to thank everyone who has proofread this thesis in all its versions, especially Victor, the feedback has been greatly appreciated! Finally, we want to thank all our informants for sharing their knowledge and opinions!

2020-06-09, Växjö, Fredrik Årman & Simon Gustavsson


Table of contents

1 Introduction
1.1 Background
1.2 Problematization
1.3 Aim
1.3.1 Research Questions
1.4 Limitation
1.5 Target audience
2 Literature study
2.1 Overview of IoT and related security issues
2.2 The smartwatch as an IoT device example
2.3 Security issues concerning smartwatches
2.4 Bring your own device
2.5 Suggested security mitigations concerning BYOD policy and smartwatches
3 Methodology
3.1 Scientific approach
3.2 Data collection
3.2.1 Selection
3.2.2 Qualitative interviews
3.3 Analysis
3.4 Validity and reliability
3.5 Ethical considerations
4 Empirical results
4.1 The organizations’ awareness of smartwatch security issues
4.2 The organizations’ perception of smartwatches concerning their IT infrastructure
4.3 Preventing smartwatch security issues
4.4 Common technical solutions
4.5 Customer businesses
5 Analysis
5.1 The organizations’ awareness of smartwatch security issues
5.2 The organizations’ perception of smartwatches concerning their IT infrastructure
5.3 Preventing smartwatch security issues
5.4 Common technical solutions
6 Discussion
6.1 Result discussion
6.2 Method reflection
7 Conclusion and future research
7.1 Future research
References

Appendices

Appendix 1: Interview questions
Appendix 2: Consent form
Appendix 3: List of abbreviations


1 Introduction

Imagine walking into your office and, with only a slight tap on your wrist, everything around you comes to life. The lightbulbs in your office lamps gradually start to shine, your computer makes a beeping noise and turns itself on, the air conditioner sets itself to a humid 21 degrees, and maybe down the hall the coffee machine is preparing coffee tailored just the way you like it. This scenario is theoretically (and practically) possible in these modern times, but it comes with a hefty, underestimated price: ubiquitous network connections. For all of this to work, each and every device must be interconnected and have some sort of network connection. And with a network connection along with some processing power, a big box filled with IT security threats and risks arrives at your organization’s front desk. Your smartwatch is capable of a great many things, which in turn means that many (not so great) things can happen to your watch, with or without your knowledge. Spoofing, phishing, trojans, and Man in the Middle are terms you might have heard of but never given any thought or consideration. Has your boss? Your organization? The terms just mentioned are some of the possible ways to exploit your smartwatch. IoT devices such as the smartwatch bring convenience into our daily lives. They help us manage tasks with speed and efficiency, and they are always at hand. The benefits of smartwatches are numerous, but do they come with any drawbacks? And how are they perceived by organizations?

1.1 Background

”’Internet of Things’ is a collection of “things” embedded with electronics, software, sensors, actuators, and connected via the Internet to collect and exchange data with each other. The IoT devices are equipped with sensors and processing power that enable them to be deployed in many environments.” (Yang, Wu, Yin, Li & Zhao 2017 p. 1250)

Internet of Things (IoT) products are becoming ubiquitous in today’s society according to Tahir, Tahir, and Mcdonald-Maier (2018); everything from your everyday smartwatch to your organization’s air-conditioning sensors is now connected to a network. Johnson and Ketel (2019) illustrate the benefits gained and how different tasks can be streamlined by using IoT devices adapted for each task: for instance, smart fridges reminding the user what groceries to buy, controlling the smart home environment via Amazon Alexa, and a smartwatch collecting biometric data about the user’s health that could be monitored remotely by a doctor. Many IoT devices are small, battery-powered, and resource-constrained in terms of hardware and software. This requires communication protocols and security solutions at the device level to be lightweight and power-efficient (Johnson & Ketel, 2019), in order to preserve battery life and fit the small amount of space available for the hardware (Yang et al., 2017).

The Swedish government has set a goal that 95% of the population of Sweden will have a 100 Mbit/s or faster broadband connection in 2020, and by 2025 the goal is fast connectivity throughout Sweden with stable cloud services of good quality (Näringsdepartementet, 2016). An increase in both faster and more stable connectivity, such as 5G, together with continuous improvement of IoT products and their hardware, will most likely increase the usage of IoT devices even further (Malmqvist, 2020).

According to Weber and Rudman (2018), bring your own device (BYOD) is a type of policy under which the employees of an organization use privately owned devices to perform work tasks. BYOD is gaining popularity among organizations because it reduces costs for computers and IT devices and increases employee productivity by letting employees do work-related tasks on their own private devices. Weber and Rudman (2018) also claim that organizations implementing BYOD policies are at greater risk from compromised devices because of the difficulty of managing every single privately owned device used to handle private organizational information. Private smartphones, laptops, and smartwatches are examples of devices falling under a BYOD policy. The authors claim that common network security solutions such as firewalls and antivirus are insufficient against devices brought to work by employees and allowed onto the organization’s network.

A field study by the Swedish Civil Contingencies Agency (MSB, 2015) revealed that over 40% of Swedish municipalities lack any kind of information security in their risk analysis, and more than 25% lack a clear information security policy. According to Fågelstedt (2018), this concerns not only municipalities but organizations as well. Several companies are unaware of which IoT units are connected to the organization’s network and of how they should manage the security of IoT, and some do not realize the consequences of a compromised IoT unit. A report by the security firm Zscaler (2020) revealed a great increase in IoT traffic (1500%) as well as in IoT-based malware attacks (700%) from 2019 to 2020 among their customer businesses. They claim that the increase in IoT devices at organizations has made it harder for the organizations to keep track of all the traffic generated by these devices, and that 83% of that traffic is sent unprotected, without the use of SSL. SSL is a safer way of communicating that protects the traffic from sniffing, MITM, and other types of attacks (see Appendix 3, List of abbreviations, for a short explanation of these terms). This covers all manner of IoT devices, where smartwatches were the third most common device after TV set-top boxes and smart TVs. The report also claims that the definitions have blurred regarding what is a company device used for work and what is a private device used for home purposes. One example of this is an employee using his private smartwatch to read his work email.
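The Zscaler figure above (83% of IoT traffic sent without SSL) is a measurement an organization can reproduce for its own network. The Python below is an added example, not from the thesis or the Zscaler report: it parses a constructed flow log in which each record carries the device type and the first payload bytes, classifies each flow as TLS or plaintext by inspecting those bytes for a TLS record header rather than trusting the destination port, and reports the plaintext share per device type together with flows that use a TLS port without actually speaking TLS. The log format, device names, port list and addresses are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed flow log (not real traffic):
# "timestamp device_type src_ip dst_ip:port first_payload_bytes_hex"
SAMPLE_LOG = """\
2020-05-01T08:00:01 smartwatch 10.0.0.21 203.0.113.5:443 1603010200
2020-05-01T08:00:02 smartwatch 10.0.0.21 203.0.113.9:8080 474554202f
2020-05-01T08:00:03 settop_box 10.0.0.40 198.51.100.7:80 504f535420
2020-05-01T08:00:04 settop_box 10.0.0.40 198.51.100.7:443 1603030200
2020-05-01T08:00:05 smart_tv 10.0.0.55 192.0.2.33:1883 101a0004
2020-05-01T08:00:06 smart_tv 10.0.0.55 192.0.2.34:443 1603010200
2020-05-01T08:00:07 smartwatch 10.0.0.22 203.0.113.5:443 1603030200
2020-05-01T08:00:08 thermostat 10.0.0.70 192.0.2.50:80 474554202f
2020-05-01T08:00:09 smartwatch 10.0.0.21 203.0.113.9:443 474554202f
2020-05-01T08:00:10 settop_box 10.0.0.40 198.51.100.8:443 1603030200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<head>[0-9a-fA-F]+)$"
)
TLS_PORTS = {443, 8443, 993, 995, 8883}  # assumption: ports where TLS is expected


def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake) and a
    record version of 0x03 0x00..0x04 (SSL 3.0 through TLS 1.3 on the wire)."""
    return (
        len(first_bytes) >= 3
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and 0 <= first_bytes[2] <= 4
    )


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skipped rather than guessed at
    return {
        "device": m["dev"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "tls": looks_like_tls(bytes.fromhex(m["head"])),
    }


def parse_log(text: str):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def plaintext_share(text: str):
    """Fraction of flows per device type whose payload is not TLS."""
    total, plain = Counter(), Counter()
    for r in parse_log(text):
        total[r["device"]] += 1
        if not r["tls"]:
            plain[r["device"]] += 1
    return {d: round(plain[d] / total[d], 2) for d in total}


def plaintext_on_tls_ports(text: str):
    """Flows to a port where TLS is expected but the payload is plaintext;
    a port-based filter would wrongly count these as encrypted."""
    return [(r["device"], r["src"], r["dst"]) for r in parse_log(text)
            if r["port"] in TLS_PORTS and not r["tls"]]


if __name__ == "__main__":
    for dev, share in sorted(plaintext_share(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{dev:12s} plaintext share {share:.0%}")
    for hit in plaintext_on_tls_ports(SAMPLE_LOG):
        print("plaintext on TLS port:", hit)
```

Classifying by payload rather than port matters because IoT firmware frequently talks plain HTTP or MQTT on whatever port the vendor chose; the per-device-type share is the figure to compare against the report, and the "plaintext on a TLS port" list is the one worth investigating first.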


The smartwatch

The smartwatch is now a common wearable IoT device among employees. One in five Americans now uses a smartwatch or a “Fitbit”, and in Sweden over 700 000 people own a wearable (Vogels, 2020; Statista, 2019). In 2018 global sales were 45 million smartwatches, with Apple holding half of the market share (Peckham, 2019). The projection for the future is a big increase in sales, and for 2020 the estimate is over 100 million units sold (Statista, 2020). According to these projections, it is clear that smartwatches are already out there, and they are not leaving anytime soon.

1.2 Problematization

The relevance of this subject is motivated by the fact that IoT products are increasing in usage both by private citizens and by organizations (Dahlqvist, Patel, Rajko & Schulman, 2019).

Multiple studies describe different security mechanisms implemented in different IoT devices, such as authentication and encryption (Banerjee, Wright, Juvekar, Waller, Arvind, & Chandrakasan, 2019; Glissa & Meddeb, 2019; Johnson & Ketel, 2019; Mohamad Noor & Hassan, 2019). The implementation of security mechanisms in the majority of consumer IoT products raises concerns according to Tahir, Tahir, and Mcdonald-Maier (2018). Ahmed, Nasr, Abdel-Mageid, and Aslan (2019) suggest that the security mechanisms being implemented are insufficient for protecting data and devices from being exploited. Sha, Wei, Andrew Yang, Wang and Shi (2018) suggest that the heterogeneous composition of IoT devices makes them differ from one another, which makes it difficult to develop and implement security mechanisms and also makes different devices vulnerable to different types of threats.

According to Lu et al. (2018) smartwatches are increasing in popularity and functionality. They manage more potentially sensitive user and application data, making smartwatches more attractive to exploit from an attacker’s point of view. A compromised smartwatch could be used by an unauthorized person as an access point into the corporate network in order to perform some kind of attack. Siboni, Shabtai, and Elovici (2018) exemplify how this could be done by infecting a smartwatch with a malicious third-party application that was created by the authors of the study, in order to gain access to private organizational information being sent over the internal network.

It would therefore be interesting to examine how theory relates to a real-life context, and how organizations perceive and manage smartwatches when working with IT security.


1.3 Aim

The purpose of this thesis is to examine how organizations perceive and manage IoT devices, their use of the “bring your own device” policy with smartwatches as the focus, from an IT security point of view.

1.3.1 Research Questions

Derived from the background and purpose statement, this thesis aims to answer the following research questions:

• How do organizations perceive employee smartwatches regarding the “bring your own device” policy when working with IT security?

• How do organizations manage employees’ smartwatches regarding the “bring your own device” policy and their IT security?

1.4 Limitation

The large number of products included in the IoT plethora makes its scope too large to be examined in this thesis. A smartwatch can have security issues and is a common IoT device that falls under the “bring your own device” policy, with a high probability of being present among employees in an organization, and will therefore be used as the IoT device example in the thesis.

1.5 Target audience

This thesis is written for everyone to read as it concerns regular employees as well as organizations. But our primary audience is the employees within organizations that have the power to change or start serious discussions both within the IT department, the IT security department, and the leadership department. This is an issue for these departments due to the technical aspect of IoT and smartwatches, the security policy aspect, and the fact that change comes from leadership.

2 Literature study

Understanding IoT will help us understand the smartwatch and so this chapter will first give an overview of IoT-devices, how they are built, their functionality, their implemented security, and security risks. Then we will look at different aspects of the smartwatch so it can serve as an example for the thesis. The last part looks at the BYOD policy and some technical solutions for smartwatch security.

2.1 Overview of IoT and related security issues

The scope of IoT products encompasses several types of objects that can be connected to the internet with the purpose of bringing convenience to the end user. These products can be smart TVs, thermostats, fridges, smartwatches, or security cameras, to name a few (Blythe, Johnson & Manning, 2020). IoT devices are heterogeneous due to the varying composition of hardware, software, power source, and communication protocols implemented. This differs depending on the purpose of the specific device; for instance, a smart TV requires different, higher-performing hardware and software than an IoT thermostat (Sha et al., 2018). For IoT device communication, some of the most commonly implemented protocols and technologies are WiFi, Bluetooth Low Energy (BLE) and ZigBee for short-range communication, and LTE and 5G for long-range communication. BLE and ZigBee enable IoT devices to connect directly to other devices, WiFi enables IoT devices to connect to a Wireless Local Area Network, and LTE and 5G enable IoT devices to connect to the internet via cellular networks (Ding, Nemati, Ranaweera & Choi, 2020).

In order to provide a unified overview of the IoT architecture, an IoT device is divided into three layers consisting of Application, Network, and Physical layers. The naming of these layers may differ depending on the article. These layers overlap with the seven layers of the Open System Interconnection (OSI) model, which is used as a standard for computer network communication. This provides context to how different network technologies and protocols are being implemented in IoT devices (Ruiz-Rosero et al., 2017; Johnson & Ketel, 2019; Lind, 1987).

The seven layers of the OSI model are made up of the Physical layer, Data Link layer, Network layer, Transport layer, Session layer, Presentation layer, and Application layer. The hardware used for network communications such as routers, gateways, network cards, network cables, and the likes is managed in the physical layer.

Communication tables for devices connected to the network and the ports the devices are connected to are handled in the data link layer. The network layer concerns the network communication protocols that provide the routing of data in the network. The handling of packets being sent over the network, meaning ensuring the integrity of the total set of packets sent, is the concern of the transport layer. The integrity of a session is handled by the session layer. The presentation layer concerns the distribution of data into packets or the retrieval of data from received packets; furthermore, decryption and encryption of data are performed in this layer. The final layer, the application layer, concerns the protocols that the user interacts with in order to use a device connected to the network (Lind, 1987). Table 1 illustrates how the three-layer IoT architecture and the OSI model overlap and in which layer the aforementioned communication protocols and technologies are implemented in the IoT device.

Table 1: Overview of communication protocols. Adopted from Lind (1987, p. 6) and Ruiz-Rosero et al. (2017, p. 13)

One of the most common security functions implemented in IoT devices is authentication, which serves the purpose of only allowing identified users and devices in a network to access the device; this strives to prevent MITM, replay, and Sybil attacks (Appendix 3, List of abbreviations). Some of the communication protocols enabling authentication that are commonly implemented in IoT devices are Z-Wave, DDS, ZigBee, and MQTT (Mohamad Noor & Hassan, 2019). Another security measure that can be implemented in IoT devices is Datagram Transport Layer Security (DTLS). DTLS is aimed at resource-limited devices and provides authentication and end-to-end encryption of the communication between the IoT device and other devices (Banerjee et al., 2019). IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) is a lightweight protocol suited to hardware-constrained IoT devices confined to a limited power source. 6LoWPAN provides security by implementing AES-128 end-to-end encryption of the communication between devices (Johnson & Ketel, 2019; Glissa & Meddeb, 2019).

IoT devices differ from a security perspective compared to regular network security due to the extensive and complex nature of IoT devices (Alaba, Othman, Hashem & Alotaibi, 2017; Mohamad Noor & Hassan, 2019; Sha et al., 2018). Regarding security issues inherent to IoT devices, there are different types of issues, not all devices are affected equally by one specific issue, and there are many reasons why securing IoT devices is a complex matter. The heterogeneous composition of IoT devices and their intended functionality makes it hard to develop security solutions that suit all different types of IoT devices. Older IoT devices still in use that might no longer receive software updates are confined to running outdated software. This is problematic since vulnerabilities in the software are not being addressed. Many IoT devices are built from hardware with limited performance, often battery-dependent, which requires the hardware and software to be energy efficient. This, in turn, requires the communication protocols and security functions being implemented to be lightweight, which limits the options of eligible security mechanisms that could be implemented. These lightweight security mechanisms and communication protocols provide inferior security compared to the ones implemented in regular computers and networks (Sha et al., 2018).

Many of the communication protocols and technologies implemented in IoT devices are susceptible to different types of attacks, at different levels in the IoT three-layer model (Ahmed et al., 2019). Some of the vulnerabilities concerning the physical layer are spoofing, DDoS, Sybil, eavesdropping, Bluesnarfing, Jamming, hardware trojans, and more (Appendix 3, List of abbreviations). The application layer regards the applications and services running on the device, this layer is susceptible to viruses, worms, trojans, malicious applications, XSS, buffer overflows, and more. The network layer regards the device’s means of communication and the protocols being used for this purpose. Some of the threats are MITM attacks, DoS, war dialing, Black hole, and more (Ahmed et al., 2019; Alaba et al., 2017).

If an IoT product has been attacked by a hacker in one of several ways and become compromised, a short study by DigiCert (2018) showed that the most common consequences for an organization were loss of capital, statutory penalties, and limited production. It is not only in the organizations’ interest to protect themselves and their own interests but also their employees and customers, due to the new rules under the General Data Protection Regulation (GDPR) on how information security and employees’ personal data should be managed. Private and customer information must be stored in a secure way, and the organization is accountable. Neglecting this can result in both sanctions and fines (Datainspektionen, 2016).

2.2 The smartwatch as an IoT device example

Loomis (2019) suggests that older smartwatches were just an extension of the smartphone on which they depended. However, modern smartwatches are becoming more capable of processing, storing, and transmitting data and running applications autonomously, due to enhanced and faster hardware being implemented in new models. Some of the common operating systems implemented in smartwatches are Garmin OS, Apple watchOS, Tizen OS, and Wear OS (formerly Android Wear). These OSs are similar to the ones implemented in smartphones, enabling the smartwatch user to download, install, and use applications tailored for smartwatches. As a technical description of a modern smartwatch, the ASUS ZenWatch 2 incorporates a 1.2 GHz Snapdragon 400 processor, 512 MB of RAM, and 4 GB of eMMC flash storage, runs Wear OS, and communicates via WiFi 802.11 and Bluetooth Low Energy.

Smartwatches provide many functions and uses, e.g. managing, viewing, and responding to SMS, emails, application notifications, phone calls, contacts, calendar, GPS, and maps when paired with a smartphone. This makes smartwatches a convenient tool for swift management of a smartphone. Some models contain SIM card readers enabling the smartwatch to get internet access via cellular networks independently of a smartphone (Lu et al., 2018). Smartwatches can also connect to the internet by other means, for instance when connected to WiFi or when paired with a smartphone via a Bluetooth connection (Siboni, Shabtai & Elovici, 2018; Loomis, 2019). In order to provide the functions mentioned above, smartwatches can combine multiple sensors in one device, which could include GPS, gyroscope, microphone, camera, heart-rate monitor, accelerometer, and more.

Furthermore, many applications and services intended for smartwatches make use of both the smartwatch’s internal memory and cloud storage as a means of saving and accessing generated user data (Do, Martini & Choo, 2017; Loomis, 2019). According to Lee, Yang, and Kwon (2018), the stored data can be sensitive by nature and includes user data from applications running on the smartwatch as well as from applications running on a paired smartphone. This applies to the three biggest smartwatch OSs: Wear OS, watchOS, and Tizen (Samsung). For instance, if a smartwatch is used to read emails, the smartwatch might save that information in local memory, often without notifying the user.

Bluetooth and WiFi are the most common means of communication for smartwatches (Loomis, 2019). The Bluetooth stack implements some security mechanisms such as security modes, trust modes, security services, and built-in security features (Lonzetta, Cope, Campbell, Mohd & Hayajneh, 2018). According to Rana, Abdulla, and Arun (2020) WiFi implements security protocols such as WiFi Protected Access (WPA) and WiFi Protected Access 2 (WPA2). These protocols handle device authentication and encryption of the communication over the wireless network.

According to the Apple platform security (2020) documentation, the Apple Watch Series 3 and later have security mechanisms implemented in hardware, providing encryption of data being read or written. According to the Android developers docs guide (2020), third-party Wear OS application developers are provided with several functions for user authentication that can be implemented: for instance, Google Sign-In, OAuth 2.0 support, passing tokens via the data layer, and custom code authentication.

2.3 Security issues concerning smartwatches

As mentioned above, many IoT devices, smartwatches included, use Bluetooth Low Energy (BLE) to connect to and communicate with other devices, for instance when pairing to and communicating with a smartphone. Bluetooth is considered vulnerable to MITM attacks and eavesdropping because of the way encryption keys for the data packets are exchanged between the paired devices (Lonzetta et al., 2018; Melamed, 2018). This opens up the possibility for an external attacker to capture the data packets and the corresponding encryption keys while eavesdropping on the Bluetooth connection between two devices and then decrypt the captured data. Further, this enables the attacker to modify the data being sent between the devices, performing a MITM attack, which could result in the attacker being able to take control of the smartphone and its functions (Melamed, 2018). Lonzetta et al. (2018) suggest that updating the Bluetooth firmware in IoT devices running older versions of the Bluetooth protocols would improve security, which from the end user’s point of view could be difficult.

Furthermore, some of the operating systems used in smartwatches allow the user to install third-party applications, which increases the possibility of malicious applications being installed on the smartwatch (Do, Martini & Choo, 2017). Siboni, Shabtai, Tippenhauer, Lee, and Elovici (2016) illustrated how smartwatches can be used as rogue access points to the network in a corporate environment by installing two different malicious applications, written by the authors, on two different smartwatches. These applications posed as regular fitness applications to the end user, performing the advertised functionality and seeming to work in perfect order. However, the applications were covertly running malicious code in the background in a way that a normal user would never be aware of nor discover. The tests performed by Siboni et al. (2016) were carried out in a room containing a delimited WiFi network and test equipment, in order to provide a controlled test environment free from interference by devices not included in the scope of the test.

In a test case by Siboni et al. (2016), one of the smartwatches was infected with a malicious application, the attack was initiated when the user wearing the smartwatch was present at the given coordinates, the test environment, at a specific time. The application was covertly running a modified version of the Nmap tool, adapted to run on Android Wear. Nmap is used to perform port scans on networks in order to map out all the devices connected to the network. The attack successfully mapped out the connected devices, what ports were opened and closed for each device, and what internal IP-address each device was assigned. The smartwatch then sent the result of the scan to a cloud storage server where the attacker could access it. This provides the attacker with great detailed information regarding what the network looks like, and what devices are susceptible to further exploitation (Siboni et al., 2016). In the test case illustrated by Siboni, Shabtai, and Elovici (2018) a smartwatch was prepared with a malicious application, and when initiated the smartwatch maps out the network in order to find a suitable device to mimic later. In the test environment, a WiFi-direct printer was present, after mapping the network the result is stored in the smartwatch and later uploaded to a cloud storage point for the attacker to review. In the next step, the attacker sent instructions to the malicious application on the smartwatch to mimic the printers SSID (service set identifier), making the smartwatch appear with the same name on the network as the printer. Hence the smartwatch can receive print jobs meant for the real printer and store print jobs internally in the smartwatch memory.

When the smartwatch then connects to the internet, by pairing with a smartphone or through its internal cellular connectivity, the stored print jobs are uploaded to a cloud storage point of the attacker's choosing (Siboni, Shabtai & Elovici, 2018). These are some of the ways a smartwatch can gain access to an organization’s internal data.

2.4 Bring your own device

Bring your own device (BYOD) can best be described as policies adopted in organizations concerning employees using their own personal laptops, tablets, smartphones, and other mobile technical devices in the line of work to perform work-related tasks. This approach is gaining popularity among organizations due to some of the benefits it provides, such as reduced company costs in regard to computers, smartphones, and other mobile devices for the employees, increased productivity, and employee satisfaction (Weber & Rudman, 2018; Otti, 2018). Despite the potential benefits that could be reaped by adopting BYOD policies into an organization, there are numerous risks associated with letting employees use their own personal devices to access the organizational network and sensitive organizational information that should be considered private. For instance, both Android Marketplace and Apple App Store provide a huge number of smartphone and smartwatch applications, and it would be an impossible task for these providers to review the source code of all applications in order to weed out malicious ones. Since the employees own their devices and use them both for work, to access potentially sensitive corporate information, and for private purposes, they are free to install and use whatever apps they desire on their devices. This increases the risk of malicious applications being installed on the devices, which could result in theft of sensitive information, devices being exploited as rogue access points into the corporate network by an attacker, deployment of malware into the corporation's systems, and/or attackers taking control of the corporation's network and/or systems.

From a legal perspective, BYOD also restrains the corporation in several aspects. For instance, if a device is lost or stolen, the corporation usually lacks the rights and/or means to remotely wipe the device of its content. Furthermore, the applications the employees use to perform work-related tasks may be licensed for private use only, which could result in legal consequences for the corporation (Weber & Rudman, 2018; Otti, 2018).

2.5 Suggested security mitigations concerning BYOD policy and smartwatches

The authors of the previously referenced articles, i.e. Siboni et al. (2016), Weber and Rudman (2018), and Lonzetta et al. (2018), suggest several means that could be implemented in organizations in order to mitigate possible security risks regarding smartwatches in an organizational environment.

BYOD and policy

Weber and Rudman (2018) suggest that BYOD policies should be designed to implement the COBIT-5 processes, to clarify and enforce rules of usage and related behavior, which will be monitored by the organization. COBIT-5 is a framework developed to map out organizational needs concerning technical issues, business risks, and control requirements. This serves as a foundation for managing IT aspects of the organization and implementing relevant security measures. The organization also needs to provide education and support for the employees in order to mitigate the risk of employees breaching the security rules defined in the BYOD policy. It is proposed that the organization provides software for the device in order to access networks and work systems in a secure manner. It is also suggested that technical solutions regarding device authentication, data encryption, and anti-malware should be provided. According to Bello, Murray, and Armarego (2017), there is also a legal perspective for organizations to deal with regarding BYOD. Organizations must consider both security and privacy policies because if the corporate, customer, or private data leaks, it must be determined who is accountable.

Bluetooth

Lonzetta et al. (2018) suggest that it is hard to prevent all attacks associated with Bluetooth. Therefore, the IoT users need to increase their own knowledge concerning present security risks and security features implemented in the device they wish to purchase. The user should also keep up to date with new releases of manufacturer firmware and security patches for their devices. The users should use their device in a safe manner, such as not pairing a smartphone with a smartwatch in an area where potential attackers could monitor the process. Furthermore, Lonzetta et al. (2018) suggest that the manufacturers of IoT devices are responsible for developing new solutions with safety in mind, mitigating existing threats, providing the user with software updates for their devices, and documentation helping the user to secure their devices.


Smartwatch

Siboni et al. (2016) present an abstract design for the development of a security testbed framework in order to provide a secluded simulation environment identical to the organizational environment where the smartwatch would be present. The purpose of this testbed was to execute penetration tests and security tests, scan the device for vulnerabilities, and check whether the device in its present state has been compromised in some way, such as by containing installed malicious applications.

Security acceptance and monitoring network

Siboni, Shabtai, and Elovici (2018) propose that the organization performs security acceptance testing of each smartwatch that is to be used within the organization before allowing the device to be present in the office environment. Real-time monitoring of the organization’s network should be performed in order to detect irregular, deviant network traffic from the connected smartwatches, and scanning for WiFi Access Points (AP) should be performed to check whether new rogue APs are present.
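As an added illustration, not code from the thesis or from Siboni et al., the two checks that the monitoring proposed here and the test cases described earlier (the Nmap sweep from a watch and the printer-mimicking SSID) call for, run over constructed flow records and a constructed wireless survey. The addresses, SSIDs, MAC addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (placeholders, not from the thesis or the cited papers) ---

WATCH = "10.10.0.57"     # hypothetical smartwatch on the guest network
LAPTOP = "10.10.0.12"    # hypothetical laptop with ordinary traffic
T0 = datetime(2020, 5, 4, 9, 0, 0)

# Flow records as a firewall or flow exporter would log them:
# (timestamp, source IP, destination IP, destination port).
FLOWS = []
# The watch touches four ports on eight hosts within about 30 seconds,
# which is what a Nmap-style sweep of the segment looks like on the wire.
for i, host in enumerate(f"10.10.0.{n}" for n in range(1, 9)):
    for j, port in enumerate((22, 80, 443, 9100)):
        FLOWS.append((T0 + timedelta(seconds=4 * i + j), WATCH, host, port))
# The laptop only talks HTTPS to two hosts: normal client behaviour.
FLOWS += [
    (T0 + timedelta(seconds=5), LAPTOP, "10.10.0.1", 443),
    (T0 + timedelta(seconds=9), LAPTOP, "10.10.0.3", 443),
    (T0 + timedelta(seconds=40), LAPTOP, "10.10.0.1", 443),
]

# Baseline of SSIDs the organization operates, keyed to their known BSSIDs
# (the MAC addresses are constructed placeholders).
KNOWN_APS = {
    "Corp-Guest": {"00:11:22:33:44:01"},
    "DIRECT-PRN-Office": {"00:11:22:33:44:02"},   # the WiFi Direct printer
}

# A later wireless survey: (ssid, bssid, channel, signal strength in dBm).
SURVEY = [
    ("Corp-Guest", "00:11:22:33:44:01", 6, -48),
    ("DIRECT-PRN-Office", "00:11:22:33:44:02", 11, -55),
    ("DIRECT-PRN-Office", "5e:f0:11:22:33:aa", 11, -41),  # same name, unknown radio
    ("CoffeeShopFree", "a0:b1:c2:d3:e4:f5", 1, -80),
]


def detect_sweeps(flows, window_s=60, min_hosts=5, min_ports=10):
    """Flag sources that reach many hosts or many ports inside a time window.

    A device enumerating the segment fans out to many (host, port) pairs in
    a short time, while a legitimate client talks to a few services on a
    few hosts. Returns {src: {"hosts": n, "ports": n}} with the largest
    fan-out seen in any window for each flagged source.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_src[src].append((ts, dst, port))
    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in window_s.
            while recs[end][0] - recs[start][0] > timedelta(seconds=window_s):
                start += 1
            window = recs[start:end + 1]
            hosts = {d for _, d, _ in window}
            ports = {p for _, _, p in window}
            if len(hosts) >= min_hosts or len(ports) >= min_ports:
                seen = alerts.get(src, {"hosts": 0, "ports": 0})
                alerts[src] = {"hosts": max(seen["hosts"], len(hosts)),
                               "ports": max(seen["ports"], len(ports))}
    return alerts


def detect_ssid_spoofing(known_aps, survey):
    """Compare a wireless survey against the AP baseline.

    A known SSID seen on an unknown BSSID is the signature of a device
    impersonating that access point, as in the printer-mimicking test
    case; an SSID missing from the baseline is reported for review.
    Returns a list of (ssid, bssid, reason).
    """
    findings = []
    for ssid, bssid, _channel, _rssi in survey:
        if ssid not in known_aps:
            findings.append((ssid, bssid, "SSID not in baseline"))
        elif bssid not in known_aps[ssid]:
            findings.append((ssid, bssid, "known SSID on unknown BSSID"))
    return findings


if __name__ == "__main__":
    for src, fanout in detect_sweeps(FLOWS).items():
        print(f"sweep from {src}: {fanout['hosts']} hosts, {fanout['ports']} ports")
    for ssid, bssid, reason in detect_ssid_spoofing(KNOWN_APS, SURVEY):
        print(f"wireless finding: {ssid} / {bssid}: {reason}")
```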

Segregated and virtual networks

Ferraris, Fernandez-Gago, Daniel, and Lopez (2019) suggest that smart homes housing several IoT devices connected to a single main network, which computers, laptops, and tablets also connect to, are problematic. The IoT devices can gain access to all the other non-IoT devices on the network. In order to mitigate the risk posed by potentially compromised IoT devices towards other devices on the same network, it is proposed that segregated networks should be implemented. By implementing networks separated from one another, the IoT devices can be confined to their own network, inhibiting them from accessing devices on the main network.

Furthermore, it’s suggested that industrial systems architecture concerning which devices are allowed to connect to which network should be implemented. This would provide the network owners the ability to ban and prevent suspicious or misbehaving devices from accessing the networks. According to Leal (2015), this is a solution not only for smart homes but also for organizations. Network segregation is one of the ISO 27001 (Appendix 3, List of abbreviations) controls and it proposes that organizations segment their networks into several layers.

Alabady, Al-Turjman, and Din (2018) suggest that implementing Virtual Local Area Networks (VLAN) is one way to increase security by dividing one big local network into several separate virtual networks, segregated from each other. This enables the network administrator to manage access control over all connected devices and, for instance, confine a certain type of device, such as IoT devices, to a specific network. This inhibits potentially insecure devices in one virtual network from communicating with devices on the other virtual networks.
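As an added example, not from the thesis or the cited authors, a small model of the three-tier segregation described here: an audit of which observed flows a flat network permits but a segregated policy forbids, and a rendering of the segregated policy as an nftables forward chain. The prefixes, interface names and flows are constructed.

```python
import ipaddress

# Hypothetical three-tier layout mirroring the guest / internal / restricted
# split discussed in the thesis; prefixes and interface names are constructed.
INTERNET = "internet"   # any address outside the three prefixes
ZONES = {
    "iot_guest": ipaddress.ip_network("10.10.0.0/24"),   # VLAN 10: watches, phones, visitors
    "internal": ipaddress.ip_network("10.20.0.0/24"),    # VLAN 20: employee workstations
    "restricted": ipaddress.ip_network("10.30.0.0/24"),  # VLAN 30: customer data systems
}
IFACES = {"iot_guest": "vlan10", "internal": "vlan20",
          "restricted": "vlan30", INTERNET: "wan0"}

# One flat segment: every zone may reach every other zone and the internet.
FLAT_POLICY = {z: set(ZONES) | {INTERNET} for z in ZONES}

# Segregated: IoT and guest devices reach only the internet, workstations reach
# internal and restricted resources, restricted hosts stay confined.
SEGREGATED_POLICY = {
    "iot_guest": {INTERNET},
    "internal": {"internal", "restricted", INTERNET},
    "restricted": {"restricted"},
}


def zone_of(ip):
    """Map an address to its zone name, or INTERNET if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return INTERNET


def audit(flows, policy):
    """Return the (src, dst, port, "src_zone -> dst_zone") flows a policy forbids.

    Against observed traffic this shows what a flat network lets through;
    against a live segregated network a non-empty result means the
    isolation is not actually enforced.
    """
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == INTERNET:
            continue  # inbound policy is out of scope for this check
        if dst_zone not in policy[src_zone]:
            violations.append((src, dst, port, f"{src_zone} -> {dst_zone}"))
    return violations


def render_nft(policy, ifaces=IFACES):
    """Render a policy as an nftables forward chain with a default drop.

    Traffic inside one VLAN is switched and never hits the router's forward
    hook, so same-zone entries yield no rule; replies are admitted by
    connection tracking, so each allowed zone pair needs a single rule.
    """
    lines = [
        "table inet segregation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for src_zone, dsts in policy.items():
        for dst_zone in sorted(dsts):
            if dst_zone != src_zone:
                lines.append(f'        iifname "{ifaces[src_zone]}" '
                             f'oifname "{ifaces[dst_zone]}" accept')
    lines += ["    }", "}"]
    return "\n".join(lines)


# Constructed flow sample: a smartwatch on the IoT/guest VLAN reaching out to
# internal and restricted hosts, beside ordinary employee traffic.
SAMPLE_FLOWS = [
    ("10.10.0.57", "203.0.113.10", 443),  # watch syncing with a cloud service
    ("10.10.0.57", "10.20.0.15", 445),    # watch -> internal workstation
    ("10.10.0.57", "10.30.0.8", 22),      # watch -> restricted server
    ("10.20.0.15", "10.30.0.8", 22),      # workstation -> restricted server
    ("10.20.0.15", "10.10.0.57", 5555),   # workstation -> watch
]

if __name__ == "__main__":
    print("flat network forbids:", audit(SAMPLE_FLOWS, FLAT_POLICY))
    for v in audit(SAMPLE_FLOWS, SEGREGATED_POLICY):
        print("segregated network forbids:", v)
    print(render_nft(SEGREGATED_POLICY))
```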


3 Methodology

This chapter discloses the scientific approach and methodology used to conduct the survey. Furthermore, it describes the collection of data and the subsequent analysis. Finally, the validity, reliability and relevant ethical considerations of the survey are discussed.

3.1 Scientific approach

Jacobsen (2017) suggests that there are different approaches and methodologies that can be applied when undertaking research. The qualitative methodology aims to collect deep, non-measurable data, often through interviews, in contrast to the quantitative methodology, which focuses on large amounts of measurable data, often collected by questionnaire. A qualitative approach was deemed the best option to gather the data required to answer the research questions because it provides deep and vivid data. The authors of this thesis studied previously published articles in the field of IoT security and smartwatches to consolidate the research questions of this thesis before collecting data.

Qualitative interviews provided an opportunity for the interviewer to ask follow up questions to gain more extensive data and uncover aspects that might have been overlooked in a quantitative study. The interviewees were also given a chance to extend their answers in more detail which provided more descriptive data from which more accurate conclusions could be drawn.

3.2 Data collection

The collection of data was conducted by strategically selecting informants for qualitative interviews using semi-structured and open questions.

3.2.1 Selection

In regard to the purpose statement of this thesis, the authors assumed that the staff in a company or organization most qualified to provide rich and adequate answers would be high ranking IT security personnel. It was assumed that eligible informants would be working in tech organizations or IT departments, as these organizations could be presumed to be highly dependent on their IT infrastructure. The selected informants would most likely have the knowledge required to provide relevant answers in the interview and explain their thoughts and opinions regarding the research questions. Six organizations in the field of tech were chosen, ranging from IT management and IT consulting to software development. They were approached via email to find an employee with the role mentioned above to conduct interviews with. Two organizations provided two employees for the interviews, making it six organizations but eight interviewees. All eight interviewees either currently work with IT security or information security, or have a head of department role that requires vast IT security knowledge. A strategic choice of informants presumed to possess relevant knowledge was made by the authors of this thesis, which is one of the selection choices a researcher can make in a qualitative approach, according to Jacobsen (2017).


3.2.2 Qualitative interviews

The interview questions were composed from scratch, serving as a semi-structured platform for qualitative individual interviews consisting of a total of 27 questions. A pilot interview was conducted to test whether the questions were understood and yielded relevant data, whether a one-hour meeting was enough to conduct the interview, to test the audio recording device, and to remove unnecessary questions and, if needed, add new ones, all according to Chenail (2009, pp. 16-17) and Creswell (2014, p. 207).

There were no major changes made after the pilot interview, only some minor reformulation of the questions. The questions were divided into five topics: “Introduction”, “IT department and organization”, “Security policy”, “IoT and security risks” and “Your thoughts and opinions” (Appendix 1, Interview questions).

The Introduction questions aimed to provide context concerning the interviewees’ role as professionals, level of experience, and a general picture of the organization.

The IT department and organization questions were formulated to obtain a more specific illustration of the present IT infrastructure and the related practices to keep it secure. The Security policy questions were meant to examine whether the organization had a security policy in place, how different types of IT security threats were perceived, and how this was practically implemented by the employees. Subquestions related to IoT and security risks aimed at bringing clarity to whether IoT devices and smartwatches were covered by the security policy and how such devices were managed and perceived. Questions related to “Your thoughts and opinions” intended to obtain knowledge concerning whether there was a best practice implemented to prevent smartwatches from being used to compromise the organization’s network, and other thoughts the informants had regarding smartwatches. During the process of transcribing and reviewing the interviews, follow-up questions that were not asked during the interview came to mind. These complementary questions were sent out and responded to via email by two of the eight informants.

3.3 Analysis

Jacobsen (2017) suggests that the process of analyzing the collected data can be divided into a number of steps: documentation, systematization and categorization, and finally combination. Documentation means that the collected data is described in its complete form, rendering all the details, for instance by transcribing audio recordings. Systematization and categorization imply that the transcriptions are purged of irrelevant data and categorized to make the data comparable. Combination refers to comparing the collected and formatted data to find similarities and draw conclusions.

The approach taken to analyze the qualitative interviews followed the aforementioned steps. The interviews were transcribed soon after each interview was recorded. First, the transcriptions were cleaned of colloquial language and reduced to an orderly format that could then be thematized. Since the data collected during the interviews consisted of open answers, often with explanations and personal experiences from the interviewees, the data had to be interpreted by the authors. To compare the answers of the interviews, a framework was established by thematizing the questions asked during the interviews. After the thematization, the answers of the interviews were compared and analyzed to draw conclusions. This was done by examining whether there were similarities and/or deviations between the different interviews and, if so, how differing contexts or circumstances could factor into the interviewees’ differing opinions. The results were then compared to the findings in the literature review to examine whether the result diverged from what could be learned from the literature review.

3.4 Validity and reliability

“Qualitative validity means that the researcher checks for the accuracy of the findings by employing certain procedures.” (Creswell, 2014, p. 295)

To determine the validity of the research results, several different means can be incorporated, for instance declaring author bias, vividly describing the findings, or peer debriefing (Creswell, 2014). The writers of this thesis chose to declare author bias, use peer debriefing, and provide vivid descriptions of the findings to evaluate the validity of this thesis. The authors intended to approach this thesis objectively, without preconceived assumptions that could be the cause of bias. It was uncertain whether true objectivity was met throughout this thesis; therefore we discuss researcher bias, further disclosed in chapter 6.2. The findings have been described as extensively as possible while preserving the confidentiality of the informants and organizations alike. Throughout this thesis, there have been continuous open dialogs with our two mentors, who have also reviewed the work and returned feedback. The peer debriefing was motivated by the fact that receiving continuous feedback on the work being performed would provide indicators of whether the validity of this thesis was high or low. The peer reviewers both have expert knowledge regarding IT security, and their feedback helped validate the interview questions and ensure that relevant questions were being asked.

“Qualitative reliability indicates that a particular approach is consistent across different researchers and different projects.” (Creswell, 2014, p. 294)

Several different means can be incorporated to evaluate the reliability of the results. Some of these are cross-checking the meaning of codes when comparing results, establishing that the codes remain intact throughout development, and checking transcriptions for misinterpretations (Creswell, 2014).

The transcriptions have been compared to the recorded interviews to discover potential misunderstandings. This was done to keep the data intact and correct with respect to what was actually said in the interviews. The coding, or in this thesis the themes, were cross-checked between the authors to establish a unified view of what the themes suggested. This was done to avoid discrepancies in the findings that could have affected the results.


3.5 Ethical considerations

A good ethical approach has been maintained by working openly and truthfully. According to Denscombe (2018), researchers need to seek objectivity and neutrality, which the authors have strived for by interpreting the answers without bias and comparing all the answers under the same conditions. The authors of this thesis have tried to avoid being affected by the opinions of the informants during the interviews and the analysis. Knowing your own bias and prejudice beforehand can help towards both objectivity and neutrality (Denscombe, 2018). According to Pannucci and Wilkins (2010), there always exists a bias, whether known or unknown, in the researcher/interviewer and in the study itself. The writers of this thesis have tried their utmost to ask open questions without hinting at any preferable answers through wording or body language, and to reproduce the answers and opinions of the informants correctly, according to Vetenskapsrådet (2017).

Full anonymization could not be guaranteed because the identities of the informants are known to the authors, but all sensitive information, company and organization names, as well as informant identities, will be kept confidential.

Before the interviews, the interviewees were informed of the purpose of the interview, and they also received the interview questions in order to determine whether they wanted to participate or not. The interviewees were also informed that their identity and employer would be anonymized in the thesis and that the informants would only be referred to as “informant X”. The recordings of the interviews and the identities were subject to short-term storage in accordance with the guidelines of Linnaeus University.

Furthermore, the interviewees were presented with a consent form stating the aforementioned information, (Appendix 2, Consent form). The organizations were described in the thesis by general, vague, non-identifiable information, intended only to illustrate contexts and settings. The reason for this was that the interviews could potentially illustrate sensitive areas concerning IT security related work and practices that were not to be linked to any organization nor interviewee.


4 Empirical results

This chapter will delve into the empirical findings from the interviews in five parts. The first four parts have been thematized for an easier overview and a better structure. The fifth part concerns the opinions of the informants regarding their organizations' customer businesses.

Contextual overview

The eight interviewees will be referred to as informants A through H. Informants D and E were interviewed together, and informants F and H were interviewed together.

All six of the organizations are active in the tech business, in branches such as IT, IT consulting with different areas of expertise, or they deliver and manage products such as content management systems, IoT-devices, or software development. The interviewed informants have all worked with IT security, either as a consultant, in an information security role, or as head of the IT/Security department. The themes were categorized after the interview questions in order to structure the empirical data in a logical manner. The quotes from the informants have been translated from Swedish to English.

4.1 The organizations’ awareness of smartwatch security issues

All the informants stated that they were aware of smartwatches being a threat to their organizations, but with some difference regarding how much of a threat they actually are. Informant A declared that his organization enforced authentication requirements on smartphones when using work-related applications; he added that if an employee had paired the smartphone to a smartwatch, the smartwatch was not as secure as the smartphone. He suggested that it would be possible for the watch to gather information from the smartphone. The applications mentioned were work email, contacts, and calendar. Six of the eight informants had not considered that the applications in the smartwatch could potentially access and read work email.

Informant A also stated that he considered smartwatches quite harmful and that they could be used as an access point into an organization’s network.

“For me, it is very likely that we will see attackers using smartwatches to hack into corporate networks. Actually, we can presume that advanced attackers are already using that as a way in.”, said informant A.

Informant C expressed that smartwatches, and IoT-products in general, are a security risk, but the notifications that a smartwatch could receive from a paired smartphone specifically were not perceived as a risk, because his employees had very limited access to work-related applications on their smartphones and the applications they could use were confined in a virtual sandbox. The sandbox keeps the work-related applications safe from unauthorized access by other applications. He added that all private devices brought to work would only be allowed to connect to the guest network, which had no connection to the organizational network, rendering the devices harmless for the organization.


Informant B perceived the risks concerning smartwatches as limited but clarified that he was more worried about other IoT-products such as smart radiators, smart lamps, and smart ventilation. The reasoning behind this was that the aforementioned devices are meant to exist in one place for a long time and rarely receive any software updates, he claimed. Any loopholes or breaches in the software of such a product would probably not be dealt with, neither by updated software nor by a new and improved product, he added. This differs from the smartwatch, because smartwatches receive updates continuously and are often replaced within a 1-2 year lifespan by a newer smartwatch. He added that although smartwatches receive continued software updates, it was not often enough to deal with new issues and threats.

Informant D declared that he considered the smartwatch a risk if the device has not been thoroughly reviewed and no security check of the watch has been performed. If you know what type of hardware and software you are dealing with, it can be managed, he added. “I think you need to review the smartwatch, so you know how it operates, and how easy it can be to hijack the Bluetooth communication” said informant D.

“The smartwatch is really just an extension of the smartphone” informant E said and continued to explain how he thought the smartwatch is a risk but since it is so closely connected to the smartphone it is not much of a concern for the organization. The concern lies more with the smartphone and not the watch, due to the fact that the phone is a lot more powerful when it comes to both hardware and software, he added.

IoT and private devices are a constant and recurring subject, said informant G. The more functionality the device provides, the more on edge we need to be, she claimed.

“We have not talked specifically about smartwatches, but more in general about private and exterior devices. If there is a device we do not recognize, it does not gain access to our network”, she added.

Following the above statement informant H added:

“Another part of this is data loss prevention from these devices. We are currently working on that because there are a lot of IoT devices around us and that is always a risk”.

4.2 The organizations’ perception of smartwatches concerning their IT-infrastructure

All the informants stated that the implications of a compromised smartwatch could be a security risk for their respective organizations. The risk varied from low to high where most informants considered it a moderate risk. The eight informants also declared that their respective organization’s leadership understood the severity of an IT security breach and what negative consequences it could cause to the organization.

Three informants claimed that their leadership did not always understand the technical aspect of it. The organizations classify their information in three or four categories: public, internal, customer, and some use secret/restricted. All the informants stated that the customer information and data are the most relevant type of data and therefore require extensive protection. “We also manage customer data which is our biggest responsibility. It can be very sensitive” said informant A.

Two of the informants claimed that the threat from a compromised smartwatch would be of low risk to the organization’s IT-infrastructure due to the limited hardware, lack of processing power, and lack of a SIM card for exfiltrating data. Informant B stated that the lack of processing power residing in a smartwatch minimizes the potential of attacks such as DDoS (Appendix 3, List of abbreviations).

Informant A stated that the smartwatch is essentially a computer with all its components and that, if compromised, it could be used as a gateway into an organization’s network.

“A smartwatch is essentially a computer with CPU, RAM, storage, a network connection, and so on. This implies that if malicious code gets into the smartwatch it can do some pretty serious things and become a gateway into the organization’s network” said informant A.

All eight of the informants suggested that many of the employees within their organizations did not consider the smartwatch a security risk. In this regard, informant A stated that it is important for the organization to be one step ahead and make sure that it is protected and secured against the risks associated with the smartwatch. He added that it is not possible for every employee to be aware of every potential security risk. Informant B suggested that this was also true for other IoT devices such as a Smart TV or a Raspberry Pi, and similar products used in the day-to-day activities at the office. All the IoT devices are connected to a network, and most employees do not consider them a risk because they do not understand the technical aspects and the implications of a compromised device, he went on. “I don’t believe that many of our employees think about TVs and speakers as IoT devices and what that means, and therefore these devices are a security risk.” said informant B.

Informant E declared that he was clueless as to why insecure products such as smartwatches are allowed to be produced and marketed. He added that the increasing number of IoT-products, most of them lacking security measures, could potentially not only affect an organization’s IT-infrastructure but, the devices being ubiquitous, could become a national or even global threat. Imagine if they compromise enough IoT-devices to bring down “BankID”, he stated. The lack of security in many IoT products is due to the restricted power supply that batteries provide, but it is possible to implement security functions in these devices, informant E claimed. The reason this is not being implemented is the cost of developing security functions and the negative impact this would have on battery life, he continued.

“I perceive a very obvious risk, that our sensitive information ends up in the wrong place. If they somehow enter our network, they can eavesdrop on our communication. If they map ports, they could potentially gain access to login information and an employee account, and somehow enter our network that way”, said informant H.

Informant C expressed that bringing your own device to work is not only bad for security, but for the organization’s tax and liability situation as well. If a privately owned device, such as a smartwatch or smartphone, is stolen with company information stored on it, the organization must be able to remotely erase the information. Informant C also stated that this was problematic because it would be hard to determine who owns the device and who owns the information on it.

Regarding this subject, informant H stated:

“We can access our work mail on private devices today. That is something we are working to prohibit. We need more control over the applications that give permission and access to our customer business data because it is a risk. We need to own the applications in your private smartphone so that we can make demands”.

4.3 Preventing smartwatch security issues

The eight informants stated that their organizations are working with preventing the security risks from smartwatches, although smartwatches were not specifically pointed out according to their respective organizations’ security policies. The smartwatch was instead included in the security policy under a more general category called “Bring your own device”. This category included other devices such as private smartphones and private laptops.

“Private devices fall under the bring your own device category. It manages which devices you are allowed to use and what network they are allowed to connect to. In our organization, they are on the third and lowest level which means they cannot access our internal resources and can only connect to the guest network” claimed informant B.

All informants suggested that their organizations’ security policy was well-grounded, and all the employees had continuous training and education in this regard. Four organizations had yearly updates in the security policy education and the other two could not specify how often they had such sessions, but it was more than once. There was no clear answer to how the organizations follow up that their employees comply with the policy rules. All of the informants claimed that it was an individual responsibility among the employees to comply with the policy rules.

When discussing how to prevent risks concerning the smartwatch, informant E stated:

“The problem with security issues that affect the organizations is that the most serious ones, you will never hear about. They are a commodity! They don’t get leaked to the press, but they are sold in secrecy. It is big business”.


He added that to work preventively, directives must come from the leadership in the organization.

Six of the informants from five organizations mentioned ISO 27000 and ISO 27001 as information security management systems standards their organizations follow and try to fulfill. It is unclear if the last organization followed an ISO standard.

All of the organizations used technical solutions to prevent and detect IT security breaches as well as reducing errors made by humans.

“It is lucky for us to have a clever IT-department that works with technical solutions with the goal of making it harder to commit human usage errors. It is important for our employees to understand that they as individuals are the biggest vulnerability when it comes to data loss, phishing and other breaches in our IT security” stated informant G.

The most common technical solutions will be presented in the next part.

4.4 Common technical solutions

In this regard, the informants described several solutions, which included network segregation and virtual networks, monitoring of their organization’s networks, authentication for both network devices and applications, and the disallowance of using private devices for work tasks, which fell under the “BYOD” policy.

All the informants declared that their respective organizations used segregated (segmented) and virtual networks to protect their information and data. Each organization had at least three separate networks, and three of them used four or more. The three common ones were: an open network for guests and visitors, which often also hosted employee devices such as smartphones or smartwatches; an internal network for the organization’s computers and devices that needed access to manage and store internal private data; and a restricted network for customer data and information. Three organizations segmented further depending on their needs, for example customer-specific or project-specific separation. “We use virtual networks within our datacenters and separate the networks between our customers in order to protect their information and limit the access to that which we deem necessary”, said informant F.
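The three-segment design the informants describe can be checked mechanically against a flow log, so that a smartwatch or smartphone on the open network is caught if it ever reaches the internal or restricted segment. The following is an added illustration, not code from the thesis or from any informant organization; the subnets, the allow-rules and the sample flow lines are constructed assumptions.

```python
"""Policy check for the guest / internal / restricted segmentation model.

Added example (not from the thesis). Subnets, rules and flows are constructed.
"""
import ipaddress

# Constructed subnets for the three common segments named by the informants.
SEGMENTS = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),       # visitors, phones, smartwatches
    "internal": ipaddress.ip_network("10.20.0.0/16"),    # managed computers, internal data
    "restricted": ipaddress.ip_network("10.30.0.0/16"),  # customer data
}

# Allowed inter-segment flows: (source, destination) -> permitted TCP ports.
# Everything not listed is denied (default deny). "internet" is any address
# outside the three segments. The restricted segment has no outbound rule
# at all in this assumed policy.
ALLOWED = {
    ("guest", "internet"): {80, 443},
    ("internal", "internet"): {80, 443},
    ("internal", "restricted"): {443},  # assumed application-gateway port only
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def flow_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """True if the policy permits this flow; intra-segment traffic is unfiltered."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True
    return port in ALLOWED.get((src, dst), set())


# Constructed flow log: "src dst dport" per line. Line 2 is a guest-segment
# device (e.g. a smartwatch) reaching an internal host on SMB (445).
SAMPLE_FLOWS = """\
10.10.5.7 203.0.113.9 443
10.10.5.7 10.20.1.10 445
10.20.1.10 10.30.2.2 443
10.30.2.2 203.0.113.9 443
"""


def parse_flows(text: str):
    """Parse the constructed log format into (src, dst, port) tuples."""
    return [(s, d, int(p)) for s, d, p in (ln.split() for ln in text.splitlines())]


def audit(flows):
    """Return every flow that violates the segmentation policy."""
    return [f for f in flows if not flow_allowed(*f)]
```

Running `audit(parse_flows(SAMPLE_FLOWS))` reports the guest-to-internal SMB flow and the restricted-to-internet flow as violations; the two web flows pass.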

Each informant stated that the organization they work for monitors its own networks, both incoming and outgoing traffic, in real time. Many different tools are used for monitoring, and the tools differ between the organizations, but they perform the same functions: network scanning, code analysis, DNS observation, and network traffic logging. “If suspicious traffic is detected or if there is an incident there are guidelines for how to handle it”, stated informant B.

Several of the informants said that user authentication is required in order to connect to certain networks, the wireless network being one of them. Informant B said they used two-factor authentication and a VPN when working from home in order to connect remotely to the organizational networks in a secure way.
